Third of US banks OK with passwords even social networks reject

Hellooo? Can anyone explain the logic?

Six of 17 major US banks have weaker password enforcement procedures than most social networking websites, according to a new study by an American university.

The banks ask users to set up passwords that include letters and special symbols, but a study by researchers at the University of New Haven shows that in around a third of cases these passwords may not be case sensitive. This means any combination of upper and lower case letters might work. Ignoring case sensitivity reduces the entropy of login credentials, making them less resistant to cracking as a result.
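As an added illustration of the entropy point above (this is not code from the study or the article), the Python below computes the bits a uniformly random password loses when the verifier folds case, counts how many case variants such a verifier accepts, and places a case-folding verification routine beside the correct one; the 94-character alphabet, the PBKDF2 work factor and the sample password are assumptions.

```python
import hashlib
import hmac
import math
import os

# Character classes a typical policy draws from (constructed sizes, assuming
# the 94 printable ASCII characters): letters, digits, symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo


def entropy_bits(length: int, case_sensitive: bool) -> float:
    """Bits of entropy in a uniformly random password of `length` characters.
    When the check folds case, 'A' and 'a' become one symbol, so the effective
    alphabet shrinks from 94 to 68 and every character yields fewer bits."""
    alphabet = LOWER + DIGITS + SYMBOLS + (UPPER if case_sensitive else 0)
    return length * math.log2(alphabet)


def accepted_variants(password: str) -> int:
    """Distinct strings a case-insensitive check accepts for this password.
    Each letter can be typed in either case, so 2**k variants (k = number of
    letters) all verify against the same stored credential."""
    return 2 ** sum(1 for c in password if c.isalpha())


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, case_sensitive: bool) -> tuple:
    """Store (salt, digest). The weak variant lowercases before hashing."""
    salt = os.urandom(16)
    stored_form = password if case_sensitive else password.lower()
    return salt, _derive(stored_form, salt)


def weak_verify(stored: tuple, attempt: str) -> bool:
    """WEAK: folds the attempt's case, so any case variant is accepted."""
    salt, digest = stored
    return hmac.compare_digest(_derive(attempt.lower(), salt), digest)


def strong_verify(stored: tuple, attempt: str) -> bool:
    """Correct: compares the attempt exactly as typed."""
    salt, digest = stored
    return hmac.compare_digest(_derive(attempt, salt), digest)
```

For an eight-character random password the fold costs roughly 3.7 bits, and a nine-character password with five letters has 32 interchangeable spellings under the weak check.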

"We were very surprised when we learned that banks have fewer requirements for passwords than social media sites," said Walter Gordillo, '16 of Norwalk, Connecticut, a cyber systems major who took a lead on the University of New Haven Cyber Forensic Research and Education Group (UNHcFREG) project.

Banks with the issues include Wells Fargo (70 million customers), Capital One (50 million customers), BB&T, Webster First Federal Credit Union, Chase Bank (50 million customers), and Citibank (200 million customers).

El Reg contacted PR representatives of Wells Fargo, Capital One and Chase Bank as well as US banking organisations (Financial Services Information Sharing and Analysis Center (FS-ISAC) and Financial Services Roundtable (FSR)) for reaction to the study. We're yet to hear back, but will update this story as and when we hear more.

Frank Breitinger, UNH assistant professor and co-director of UNHcFREG, oversaw the study, which was carried out by UNH undergraduates in an introduction to computer security course. "Consumers believe that banks with several million customers should have strong security mechanisms in place to protect accounts, starting with password policies," Breitinger argued.

The research group attempted to contact the banks through their regular hotlines to inform them about what they had found and to ask for a statement in reaction to the findings of the research.

"It turned out that it is almost impossible to contact and notify them about a security issue," Breitinger said.

"Our findings raise an important question: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies?" Breitinger asked.

It would be wrong to regard social media profiles as throwaway items that are therefore ill-deserving of rigorous password security policies, according to Thorsheim.

"Social media sites actually keep a lot more sensitive information about you than any bank will probably ever do. At the same time, people tend to consider their money more important than information, pictures & videos of themselves, family, friends and colleagues."

Password security is only one component of online safety. In particular, two-factor authentication (2FA) controls are used by many banks to safeguard against account takeover and fraud, Thorsheim added.

"Examining the password policy by itself is interesting, there's no mention of two-factor authentication such as software or hardware tokens or biometrics, fraud detection."

"I am sure that the affected banks have all done their financial and market risk analysis to justify their security, with perhaps the biggest consideration being 'if we [make] it harder to log in compared to our competition, we may lose customers'," Thorsheim concluded. ®